-
Notifications
You must be signed in to change notification settings - Fork 421
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependency jquery-ui to v1.13.2 [SECURITY] #1068
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-jquery-ui-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
August 1, 2022 03:55
8748741
to
884f993
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #1068 +/- ##
=======================================
Coverage 69.28% 69.28%
=======================================
Files 59 59
Lines 5088 5088
Branches 1072 1072
=======================================
Hits 3525 3525
Misses 1536 1536
Partials 27 27 ☔ View full report in Codecov by Sentry. |
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
August 10, 2022 19:54
01f44e3
to
740fee7
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
August 16, 2022 00:51
740fee7
to
be4f514
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
2 times, most recently
from
September 6, 2022 15:39
843cd23
to
7f74941
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
7 times, most recently
from
October 1, 2022 05:32
2b387aa
to
2d404b8
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
October 3, 2022 05:34
2d404b8
to
7b2fbc3
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
2 times, most recently
from
November 18, 2022 18:29
d73a990
to
bdb30f1
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
December 7, 2022 05:06
802dae6
to
e0b27ea
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
December 15, 2022 09:41
65ce003
to
69e9aef
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
2 times, most recently
from
December 22, 2022 06:23
1875650
to
fa336c7
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
December 29, 2022 22:33
5476b81
to
196fe1f
Compare
renovate
bot
changed the title
Update dependency jquery-ui to 1.13.2 [SECURITY]
Update dependency jquery-ui to 1.13.2 [SECURITY] - autoclosed
Dec 31, 2022
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
2 times, most recently
from
February 20, 2024 19:57
44b67b9
to
f3b805e
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
February 29, 2024 21:36
f3b805e
to
80a12ee
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
June 19, 2024 12:49
80a12ee
to
05d9fc1
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
August 30, 2024 15:37
5d0c508
to
3a6321c
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
September 18, 2024 20:10
2577506
to
89fb388
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
4 times, most recently
from
October 3, 2024 14:32
dbbf797
to
5b398e4
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
5 times, most recently
from
October 15, 2024 18:23
f1103c7
to
aa70d80
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
3 times, most recently
from
November 15, 2024 19:45
8651030
to
c315e51
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
6 times, most recently
from
December 3, 2024 23:44
6063d72
to
bf01e10
Compare
renovate
bot
force-pushed
the
renovate/npm-jquery-ui-vulnerability
branch
from
December 4, 2024 06:01
bf01e10
to
c7bd283
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.12.1
->1.13.2
GitHub Vulnerability Alerts
CVE-2021-41182
Impact
Accepting the value of the
altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:will call the
doEvilThing
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
altField
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
altField
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
CVE-2021-41184
Impact
Accepting the value of the
of
option of the.position()
util from untrusted sources may execute untrusted code. For example, invoking the following code:will call the
doEvilThing()
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
of
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
of
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
CVE-2021-41183
Impact
Accepting the value of various
*Text
options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:will call
doEvilThing
with 6 different parameters coming from all*Text
options.Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text
options are now always treated as pure text, not HTML.Workarounds
A workaround is to not accept the value of the
*Text
options from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
CVE-2022-31160
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call
.checkboxradio( "refresh" )
on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.For example, starting with the following initial secure HTML:
and calling:
will turn the initial HTML into:
and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the
label
in aspan
:References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Release Notes
jquery/jquery-ui (jquery-ui)
v1.13.2
: jQuery UI 1.13.2 releasedCompare Source
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
v1.13.1
: jQuery UI 1.13.1 releasedCompare Source
https://blog.jqueryui.com/2022/01/jquery-ui-1-13-1-released/
v1.13.0
: jQuery UI 1.13.0 releasedCompare Source
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.